Asiacrypt 2004 – The MD2 Hash Function is not One-Way
The MD2 Hash Function is not One-Way
Frédéric Muller, D.C.S.S.I. Crypto Lab
A Concrete Situation
Figure: two certificates, one signed with MD5-RSA and one with MD2-RSA, with validity periods 1999–2014 and 1998–2008.
What is the MD2 Hash Function?
Popular Hash Functions
• The SHA family (developed by NIST)
  – SHA-0 (collision found in August 2004)
  – SHA-1
  – SHA-256 and sisters
• The MD family (developed by RSA Labs)
  – MD2
  – MD4 (collision found in 1996)
  – MD5 (collision found in 2004)
• Other algorithms
  – RIPEMD
  – HAVAL
The MD2 Hash Function
• It was designed by Ron Rivest in 1989 (published in a 1992 RFC)
• Non-classical construction (early design)
• Part of the PKCS #1 v1.5 and 2.1 standards
• Few cryptanalysis results:
  – Collision on a simplified version (Rogier-Chauvaud, 1995)
Results in this paper
Important weaknesses of MD2:
• The compression function can be inverted with complexity 2^73 basic operations (meet-in-the-middle attack)
• Consequence: preimage and second preimage attacks cost 2^104
⇒ MD2 is not a secure one-way hash
Hash Functions
• Input = a message of arbitrary length
• Output = a hash of fixed size (128 bits for MD2)
H : {0,1}* → {0,1}^128
Security of Hash Functions
• Collision resistance
  – It should be difficult to find M and M' such that H(M) = H(M')
• Second preimage resistance
  – For a given M, it should be difficult to find M' such that H(M) = H(M')
• Preimage resistance
  – For a given h, it should be difficult to find M such that H(M) = h
Compression Function
• The basic tool is a compression function F, which takes the message block M_i and the intermediate hash H_i and produces the next intermediate hash H_{i+1}:
  H_{i+1} = F(H_i, M_i)
• Message blocks have length 128 bits for MD2.
Iterated Hash Functions
Figure: chaining of F over the message blocks: H_0 = F(IV, M_0), H_1 = F(H_0, M_1), …, H_n = F(H_{n-1}, M_n), and H_n is the HASH.
Particularities of MD2
• Not Merkle-Damgård → last message block = non-linear checksum
• Not Davies-Meyer → dedicated compression function
• All operations are byte-oriented
A basic tool
The basic function is Φ(X, Y) = Z = X ⊕ S(Y), where S is an 8→8 S-box.
Figure: X and Y enter Φ; Y passes through S and the result is XORed with X to give Z.
Φ is invertible when one input is known: given Z and Y, X = Z ⊕ S(Y); given Z and X, Y = S^{-1}(X ⊕ Z), since S is a permutation.
MD2 compression function
Figure: the 48-byte state is built from H_i (16 bytes), M_i (16 bytes) and M_i ⊕ H_i; the function Φ (Z = X ⊕ S(Y)) is applied byte by byte over 18 iterations, and H_{i+1} is read from the first 16 bytes of the final state.
Representation
Figure: the computation is drawn as three matrices, one for the H_i block, one for M_i and one for M_i ⊕ H_i, each with 18 columns (one per iteration); the last column of the H_i matrix is H_{i+1}.
Intermediate values are stored in these 3 matrices.
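The byte update Φ from "A basic tool" and the three-matrix view of the compression function above, as an added Python example that is not from the paper or its author. It follows the 48-byte, 18-iteration structure of the RFC 1319 compression function and checksum, but uses a constructed seeded permutation in place of the real MD2 S-box, so its outputs are not genuine MD2 values.

```python
import random

# Constructed S-box: a seeded permutation of 0..255 standing in for MD2's 8->8
# S-box (NOT the table from RFC 1319, so the outputs are not real MD2 values).
SBOX = list(range(256))
random.Random(2004).shuffle(SBOX)
SBOX_INV = [0] * 256
for _x, _s in enumerate(SBOX):
    SBOX_INV[_s] = _x

def phi(x, y):
    """The basic tool Phi(X, Y) = Z = X xor S(Y)."""
    return x ^ SBOX[y]

def recover_x(z, y):
    """Phi inverted when Y and Z are known: X = Z xor S(Y)."""
    return z ^ SBOX[y]

def recover_y(z, x):
    """Phi inverted when X and Z are known: Y = S^-1(X xor Z), S being a permutation."""
    return SBOX_INV[x ^ z]

def compress(h, m):
    """F(H_i, M_i) -> (H_{i+1}, trace) with the 48-byte MD2 structure.
    State = H_i | M_i | M_i xor H_i.  Each of the 18 iterations replaces every
    byte by Phi(byte, t), t being the byte just updated, then adds j to t.
    trace[j] = state after iteration j = column j of the slides' 3 matrices."""
    assert len(h) == 16 and len(m) == 16
    x = list(h) + list(m) + [a ^ b for a, b in zip(m, h)]
    trace, t = [], 0
    for j in range(18):
        for k in range(48):
            x[k] = phi(x[k], t)
            t = x[k]
        t = (t + j) & 0xFF
        trace.append(list(x))
    return bytes(x[:16]), trace  # H_{i+1} = first 16 bytes of the final state

def as_matrices(trace):
    """Three 16-row x 18-column matrices: H block, M block, M xor H block."""
    return [[[col[b * 16 + r] for col in trace] for r in range(16)]
            for b in range(3)]

def checksum_update(c, m):
    """MD2's non-linear checksum step for one block: C[j] ^= S(M[j] xor L)."""
    c, last = list(c), c[15]
    for j in range(16):
        c[j] ^= SBOX[m[j] ^ last]
        last = c[j]
    return bytes(c)
```

The `trace` returned by `compress` is exactly what the slides' matrices hold: a column that is known (such as H_i or H_{i+1}) fixes one input of every Φ in it, which is why the neighbouring columns can be partly determined.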
Attacks against F
H_{i+1} = F(H_i, M_i)
2 "preimage" attacks against F:
– H_i and H_{i+1} are given, find M_i: complexity 2^95
– H_{i+1} is given, find M_i and H_i: complexity 2^73
General Ideas of these Attacks
1. Determine portions of the state from known values (like H_{i+1}) ⇒ possible because Φ is "invertible"
2. Guess separately the two halves of the unknown.
3. "Meet-in-the-middle": find a match (≈ solution)
When H_i and H_{i+1} are given
Figure: the H_i (16 bytes) matrix with 18 columns, next to the M_i and M_i ⊕ H_i matrices; the first column (H_i) and the last column (H_{i+1}) of the H matrix are known, the rest is unknown.
Reminder: the update function is Z = X ⊕ S(Y). Guess x (it costs 2^8).
General Idea
Figure: the H_i (16 bytes), M_i and M_i ⊕ H_i matrices with 18 columns.
• Guess the left half of M_i
• Guess the right half of M_i
• Match intermediate values "in the middle"
"Meet-in-the-middle" attack
Figure: the H_i (16 bytes), M_i and M_i ⊕ H_i matrices with 18 columns, ending in H_{i+1}.
Guess 32 + 64 = 96 bits; determine 64 bits.
Summary
• This attack costs roughly 2^96 × 2^8 = 2^104
• Works when H_i and H_{i+1} are given; it retrieves ALL acceptable solutions M_i
• When only H_{i+1} is given, a similar attack finds an acceptable (H_i, M_i) and costs 2^73
Application to the whole hash
• Merkle-Damgård: attacks against F turn into attacks against the whole hash
• Here: the last block of the message must match the non-linear checksum
• Idea: multi-collisions for hash functions (Joux-04)
Chaining Attack
• Goal = find a preimage of some target x
• Pick a sequence of intermediate hashes H_0 … H_128 such that
  – H_0 = IV of MD2 = 0
  – H_128 = x
  – Two possible message blocks M_i and M'_i at each step
Figure: at each step, both M_i and M'_i map H_i to H_{i+1}.
Chaining Attack
• Apply the previous attack against F only 128 times
• All messages map to x ⇒ we get "almost for free" 2^128 preimages instead of just 1
Chaining Attack
• 2^128 different preimages of x
• One should verify the checksum constraint
• Costs 2^64 to identify
• Overall complexity = 128 attacks against F ≈ 2^104
Conclusion
• Preimage and second preimage attacks for MD2 faster than 2^128 (not practical yet)
• MD2 is not a secure one-way hash function
• General results (Kelsey/Schneier) do not apply well because MD2 is not Merkle-Damgård